The IPSec protocol family is a set of security protocols widely used at the IP layer. By means of the IKE (Internet Key Exchange) protocol, two termination devices negotiate a dedicated secure communication tunnel for a particular secure communication. Thereafter, IP packets belonging to that communication are transmitted between the two termination devices at the ends of the tunnel. For conciseness, an IP packet that is carried through such a secure communication tunnel according to the IPSec protocols will be referred to as a tunnel packet, unless otherwise specified.
In particular, once a secure communication tunnel has been established, before forwarding an IP packet belonging to the particular communication, the source termination device, namely the termination device to which the host identified by the source address of the IP packet belongs, should:
1. judge whether the IP packet belongs to a particular secure communication, i.e. a communication protected by the IPSec protocol family, according to information such as the source address and destination address of the IP packet (the selectors matched against the security policy);
2. if the IP packet belongs to a particular secure communication, encrypt, encapsulate, etc. the IP packet using the Security Association (SA), including the encryption key and encryption algorithm, that corresponds to the particular secure communication; the IP packet thereby becomes a tunnel packet;
3. the tunnel packet then traverses the Internet through the secure communication tunnel corresponding to said particular secure communication and arrives at the destination termination device, namely the termination device to which the host identified by the destination address of the IP packet belongs.
After receiving the tunnel packet, the destination termination device will, according to the corresponding Security Association, decrypt (and otherwise process) the packet and forward the decrypted packet to the host identified by the destination address of the packet.
In practice, a tunnel packet may be in error for reasons such as an attack, a fault in the computer system itself, or a mismatch between the encryption and decryption algorithms. Such errors fall into the following six categories (the six codes defined for the ICMP Security Failures message of RFC 2521):
(1) bad SPI (Security Parameters Index);
(2) authentication (integrity verification) failed;
(3) decompression failed;
(4) decryption failed;
(5) authentication needed;
(6) authorization needed.
For convenience in diagnosing and eliminating errors, when a destination termination device detects an error in a tunnel packet, it needs to report the corresponding error to the source termination device. From the error report, the source termination device can learn of the error in the packet it has sent and attempt to correct it.
In the prior art, the errors of a tunnel packet are reported by the destination termination device to the source termination device via the ICMP (Internet Control Message Protocol) Security Failures message (ICMP type 40, RFC 2521). However, the existing ICMP Security Failures message has a significant drawback: the error type it reports to the source termination device is so coarse-grained (a single one-byte code) that it falls short of the granularity of the security services provided by the IPSec protocol family. Hence, once a tunnel packet encounters an error, under the existing reporting scheme the source termination device learns only the rough error type from the ICMP Security Failures message that the destination termination device sends back; it cannot ascertain the error precisely.
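As an added example (not code from the original text), the following Python sketch walks through the three sender-side steps and the receiver-side processing described above, and then builds and parses the prior-art ICMP Security Failures message (RFC 2521) for each error it detects. So that it runs with the standard library alone it uses ESP with the NULL cipher (RFC 2410) and HMAC-SHA256-128 integrity, omits the outer IP header, and every subnet, key, SPI and packet is constructed for illustration; the receiver keeps its detailed finding beside the single code that actually goes on the wire, which is the granularity gap the text describes.

```python
"""Toy IPsec tunnel endpoint with RFC 2521 ICMP Security Failures reporting (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP_SECURITY_FAILURES = 40  # ICMP type defined by RFC 2521
# RFC 2521 codes, in the same order as the six error categories above
BAD_SPI, AUTH_FAILED, DECOMP_FAILED, DECRYPT_FAILED, NEED_AUTH, NEED_AUTHZ = range(6)
ICV_LEN = 16  # HMAC-SHA256-128: integrity tag truncated to 128 bits


@dataclass
class SA:
    spi: int
    auth_key: bytes
    seq: int = 0


# Security Policy Database: selector (src net, dst net) -> SPI. Constructed entry.
SPD = {(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")): 0x10000001}
# Security Association Database shared by both endpoints. Constructed key.
SAD = {0x10000001: SA(spi=0x10000001, auth_key=b"\x42" * 32)}


def lookup_policy(src, dst, spd=SPD):
    """Step 1: match the packet's addresses against the SPD; return the SPI or None."""
    for (snet, dnet), spi in spd.items():
        if ip_address(src) in snet and ip_address(dst) in dnet:
            return spi
    return None


def esp_encapsulate(sa, payload):
    """Step 2: ESP header (SPI, sequence number) + payload + ICV over both."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def esp_decapsulate(packet, sad=SAD):
    """Receiver side: (payload, None) on success, else (None, (code, reason)).
    'reason' is what the receiver found; 'code' is all an RFC 2521 message carries."""
    if len(packet) < 8 + ICV_LEN:
        return None, (AUTH_FAILED, "packet too short to carry an ICV")
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return None, (BAD_SPI, f"no SA for SPI {spi:#010x}")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None, (AUTH_FAILED, "ICV mismatch: wrong key or packet modified in flight")
    return body[8:], None


def icmp_checksum(data):
    """Internet checksum: one's complement of the one's complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_security_failure(code, offending, pointer=0):
    """RFC 2521 layout: type, code, checksum, reserved, pointer, then the start of the
    offending datagram (IP header + 64 bits). This toy has no IP layer, so the first
    28 bytes of the ESP packet stand in for that excerpt; pointer 0 = the SPI field."""
    excerpt = offending[:28]
    unchecked = struct.pack("!BBHHH", ICMP_SECURITY_FAILURES, code, 0, 0, pointer)
    cksum = icmp_checksum(unchecked + excerpt)
    return struct.pack("!BBHHH", ICMP_SECURITY_FAILURES, code, cksum, 0, pointer) + excerpt


def parse_security_failure(msg):
    """What the source endpoint can recover: only the code, the pointer and the excerpt."""
    mtype, code, _cksum, _reserved, pointer = struct.unpack("!BBHHH", msg[:8])
    if mtype != ICMP_SECURITY_FAILURES or icmp_checksum(msg) != 0:
        raise ValueError("not a valid ICMP Security Failures message")
    return code, pointer, msg[8:]


def demo():
    """Send one good and two bad tunnel packets; return what each endpoint learns."""
    outcome = []
    spi = lookup_policy("10.1.0.7", "10.2.0.9")             # selectors match the SPD
    good = esp_encapsulate(SAD[spi], b"hello")
    bad_spi = struct.pack("!II", 0xDEADBEEF, 1) + good[8:]  # SPI unknown to the receiver
    tampered = good[:8] + b"jello" + good[13:]              # payload altered in flight
    for pkt in (good, bad_spi, tampered):
        payload, err = esp_decapsulate(pkt)
        if err is None:
            outcome.append(("delivered", payload))
            continue
        code, reason = err
        msg = build_security_failure(code, pkt)             # only 'code' goes on the wire
        sender_sees, _ptr, _excerpt = parse_security_failure(msg)
        outcome.append(("icmp", sender_sees, reason))
    return outcome
```

Running demo() shows the point of the passage: the receiver distinguishes an unknown SPI from a bad ICV (which itself may mean a wrong key, a truncated packet or tampering), yet the sender only ever gets back code 0 or code 1. A real implementation would also check the ESP sequence number against its anti-replay window before the ICV, and since RFC 2521 is an Experimental RFC that most IPsec stacks never emit, a sender should not depend on receiving type 40 at all.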
Therefore, an improved error reporting solution is needed that enables the destination termination device to report the errors of a tunnel packet accurately, so that the source termination device can ascertain and diagnose the error more accurately and conveniently.